OK, I tried using Smart Update on an empty pre-encrypted APFS volume - and it worked perfectly
When SuperDuper completes the backup, the target volume is preserved as "APFS (Encrypted)" - and when I boot from it the following happens:
- First I get a prompt for "Disk Password", which only accepts the high-entropy random passphrase. The macOS account passwords are not accepted here.
- Then it appears to decrypt the drive (progress bar takes quite a long time)
- Finally a regular macOS login screen appears, where I can log in with one of the macOS accounts
This is the exact behaviour I wanted - a bootable, encrypted clone that requires a distinct passphrase.
It's interesting that the prompt for the disk passphrase says "Disk Password" rather than login for user "[Update Needed]".
Looking back at my notes, when I was using HFS+ the disk passphrase prompts were very inconsistent. Sometimes it was "Disk Password", sometimes it was both "Disk Password" and "Guest User", and other times it was both "Updated Needed" and "Guest User". It seemed to be random which one appeared. I've no idea why. I wonder if it's more consistent now with APFS.